Add non-root user and configure cache directory in Dockerfile

Author: npv2k1

Dockerfile

@@ -1,6 +1,9 @@
 # Use a Python image with uv pre-installed
 FROM ghcr.io/astral-sh/uv:python3.11-bookworm
 
+# Create a non-root user
+RUN useradd -m -u 1000 appuser
+
 # Install the project into `/app`
 WORKDIR /app
 
@@ -12,15 +15,15 @@ ENV UV_LINK_MODE=copy
 
 # Install the project's dependencies using the lockfile and settings
 RUN --mount=type=cache,target=/root/.cache/uv \
-  --mount=type=bind,source=uv.lock,target=uv.lock \
-  --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
-  uv sync --frozen --no-install-project --no-dev
+    --mount=type=bind,source=uv.lock,target=uv.lock \
+    --mount=type=bind,source=pyproject.toml,target=pyproject.toml \
+    uv sync --frozen --no-install-project --no-dev
 
 # Then, add the rest of the project source code and install it
 # Installing separately from its dependencies allows optimal layer caching
 ADD . /app
 RUN --mount=type=cache,target=/root/.cache/uv \
-  uv sync --frozen --no-dev
+    uv sync --frozen --no-dev
 
 # Place executables in the environment at the front of the path
 ENV PATH="/app/.venv/bin:$PATH"
@@ -29,9 +32,16 @@ ENV PATH="/app/.venv/bin:$PATH"
 ENTRYPOINT []
 
 # Run setup.py
-
 RUN python setup.py
 
+# Create cache directory and set permissions
+RUN mkdir -p /.cache/selenium && \
+    chown -R appuser:appuser /.cache/selenium && \
+    chmod 755 /.cache/selenium
+
+# Set user
+USER appuser
+
 EXPOSE 7860
 # Run the FastAPI application by default
 # Uses `fastapi dev` to enable hot-reloading when the `watch` sync occurs